08-24-2010 08:20 AM - edited 02-21-2020 04:03 AM
Hi,
Having just upgraded my PIXs to software v8 at last, I was hoping to have them partake in OSPF on the network.
The PIXs all have lots of DMZs, which I would like to advertise over OSPF to remove a *lot* of brittle static routes, but of course I would like to *not* advertise or receive OSPF from those DMZs. I had assumed I could make those interfaces passive - or better still, issue:
router ospf 1
passive-interface default
And then exempt just the internal interface.
However, (unlike IOS) there seems to be no concept of passive in the PIX's OSPF implementation - a place where I thought it would be very useful...
How do I distribute those DMZs over OSPF without advertising OSPF into them?
I had considered using:
redistribute connected subnets
However, that redistributes things like the public Internet interface, which I don't want. Plus, even if there is a way to stop it including the public interface, it seems more prone to user error than passive default with a single exception.
Any ideas? If not, can I limit the interfaces in redistribute connected subnets?
Thanks for any ideas!
08-24-2010 01:47 PM
Hi Peter,
Unfortunately, the ASA/PIX does not have the passive-interface command as it does for EIGRP. There is an enhancement request for this, but there is no info on whether it will be implemented any time soon.
For alternatives... you can not include the network in the OSPF process. You would have to define your networks so that it is not included there. I have seen customers use an ACL to block incoming traffic; however, outgoing OSPF traffic is not able to be restricted.
Are you able to restrict the networks so as not to include the interfaces on which you would prefer not to run OSPF?
regards,
scott
08-25-2010 08:12 AM
Scott,
Thanks for the reply, much appreciated.
I'm not sure what you mean by "not include the network in the ospf process". I think you mean to just not list the DMZs as networks to include in OSPF. So, if my current OSPF config looks like this:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network
network
network
network
network
You would suggest dropping all the "network
I was thinking I could otherwise:
1 seems like a complicated fix for a fairly small issue and I'm worried it brings a lot of complexity. 2 seems to be a little brittle, I still have to manage static routes...
Any opinion or other options? Thanks again.
08-25-2010 11:34 AM
Hi Peter,
Thanks, yes... I was suggesting removing the DMZ network commands under the OSPF process. As you mentioned, it won't really do what you are looking to do with removing the statics, since it's disabling OSPF for that network.
Turning on EIGRP would seem to be a lot of extra work just to remove the statics if that is all it will be used for, but it would allow you to use the passive interface, which would accomplish not sending/receiving EIGRP out the specific interface.
I just reread your entire first message and I believe I understand now what you are after. Going back to your first inquiry with the redistribution: you can redistribute the statics and use a route map to control which routes you are going to redistribute. You can then remove the networks for the DMZ under the router ospf process.
example:
! standard ACL listing only the static routes that may be redistributed
access-list ospfredist standard permit 10.10.10.0 255.255.255.0
access-list ospfredist standard permit 192.168.10.0 255.255.255.0
! route-map entries need an action and sequence number on the ASA/PIX
route-map static-ospf permit 10
 match ip address ospfredist
router ospf 10
 redistribute static subnets route-map static-ospf
This should redistribute only the statics that you listed above.
Hope this helps a bit.
-scott
08-26-2010 02:22 AM
Scott,
That makes a lot of sense, and you are right - EIGRP probably is overkill.
A route-map is the right way to do this, not too sure why I didn't think of it...
I've taken your suggestion and it works great, the only thing I changed is rather than redistribute the statics from the routers, I've redistributed the connected subnets from the PIX instead - still using the same route-map to avoid including the outside route, etc.
(It just seemed more manageable to keep the route map that lists what's on the PIX, on the PIX.)
So, for anyone else who reads this, I changed:
router ospf 10
redistribute static subnets route-map static-ospf
To:
router ospf 10
redistribute connected subnets route-map static-ospf
And ran the lot on the PIX instead of the L3/router.
Scott, thanks again!
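For anyone following the thread, here is the complete configuration the discussion arrives at, written out as an added example rather than any poster's actual config. The interface names, the subnets (inside 10.0.0.0/24, dmz1 10.10.10.0/24, dmz2 192.168.10.0/24, outside 203.0.113.0/24), the OSPF process ID and the MD5 key are all assumptions; replace them with your own. The point it shows is that on the PIX/ASA the only way to get passive-interface-like behaviour is to keep an interface out of every network statement, and the route-map whitelist then decides what gets advertised about the DMZs.

```cisco
! Added example (not from the thread). Interface names, addresses, process ID
! and key are assumptions; the "!" lines are comments.

! 1. Only the inside interface runs OSPF (sends hellos, forms adjacencies).
!    No "network" statement covers a DMZ or the outside interface, so the
!    firewall never transmits OSPF on them; that is the passive-interface
!    substitute on this platform.
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.0.0.0 255.255.255.0 area 0
 redistribute connected subnets route-map connected-ospf

! 2. Whitelist the connected DMZ subnets to advertise. The standard ACL's
!    implicit deny keeps the outside subnet (and any interface added later
!    by mistake) out of OSPF; nothing is advertised unless listed here.
access-list ospfredist standard permit 10.10.10.0 255.255.255.0
access-list ospfredist standard permit 192.168.10.0 255.255.255.0

route-map connected-ospf permit 10
 match ip address ospfredist

! 3. MD5 key on the one interface that does speak OSPF, to go with
!    "area 0 authentication message-digest" above (placeholder key).
interface GigabitEthernet0/1
 nameif inside
 ospf message-digest-key 1 md5 REPLACE-WITH-REAL-KEY

! 4. Belt and braces: the firewall already sends no hellos on dmz1, but also
!    drop any OSPF (IP protocol 89) a DMZ host sends towards it, so a
!    compromised DMZ box cannot even attempt an adjacency. The deny goes
!    ahead of the interface's normal permits (one example permit shown).
access-list dmz1_in extended deny ospf any any
access-list dmz1_in extended permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-group dmz1_in in interface dmz1

! Verification (run on the firewall): only the inside neighbour should be
! listed, only the inside interface should show as an OSPF interface, and
! upstream routers should see the two DMZ subnets as O E2 external routes.
! show ospf neighbor
! show ospf interface
! show route
```

Two things to watch when adapting this. The ACL is a whitelist, so a new DMZ is not advertised until its subnet is added, which is the safe failure mode; the opposite design (redistribute everything and deny the outside) would leak any interface someone forgets to deny. And the inbound ACL on the DMZ in step 4 only stops hosts from sending OSPF to the firewall; as noted earlier in the thread, it cannot stop the firewall sending OSPF out, which is why the interface must also stay out of the network statements.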
08-26-2010 10:53 AM
Hi Peter,
That's great news... glad it's working for you. Yes, initially I was not thinking of that either, and then when I re-read your problem and the responses you mentioned, I thought this sounds like the job of a route-map restricting specific routes on redistribution.
Thanks... have a nice day.
-scott